
How to Build a Company AI Policy in 2026

How to build a company AI policy in 2026 — a five-section framework covering approved tools, quality standards, data governance, disclosure, and accountability for $5M–$25M companies.

Phos Team ·
Phos AI Labs Compliance Operations

In 2026, an AI policy is not optional for a company that uses AI on client work.

Clients are asking. Employment lawyers are adding AI clauses to standard contracts. Some professional liability insurers have begun asking about AI governance as part of renewal conversations.

The question is not whether to have a policy; it is whether to have one that was written in an afternoon with a clear framework or one that arrives from a consultant at $15,000 and is never read again.

This article gives a specific, complete framework for building an AI policy appropriate for a $5M–$25M non-tech company.

It covers what the policy must address, what can be safely omitted, and how to keep it current as AI practices evolve.

The result is a two-to-three-page working document that answers the questions clients, employees, and boards are starting to ask.


Section 1: Approved tools and use cases

What this section contains

A specific, accurate list of the AI tools the company uses, the use cases each is approved for, and the access permissions by role.

The format

APPROVED AI TOOLS
-----------------

[Tool name] | Tier: [e.g., Claude Teams / ChatGPT Plus / GPT-4 API]
Approved use cases:
  - [Use case 1 — specific]
  - [Use case 2 — specific]
  - [Use case 3 — specific]
Not approved for:
  - [Restriction 1]
  - [Restriction 2]
Access: [All staff / Specific roles / Requires approval]
Data processing agreement: [Yes — location: [link] / No — data restrictions apply]

[Repeat for each tool]

What to include

All AI tools used in company operations, including those configured in a private AI workspace, and tools individual team members use independently on company work. A policy that lists only the company-sanctioned tools while team members use additional personal AI tools on client work has a governance gap.

The grey area of personal AI use on work tasks:

The most practical approach: “Personal AI tool accounts may be used for company work tasks provided the tool is listed in the approved registry or explicitly approved by [role]. Use of unapproved AI tools on client-sensitive work is not permitted.”

This creates a lightweight approval process without being restrictive, and prevents the governance gap of team members using tools the policy does not address.

The most common oversight

Tools embedded in existing software (HubSpot’s AI features, Notion AI, Grammarly’s AI writing tools, and similar) are often omitted from AI policies because they are perceived as product features rather than AI tools.

In 2026, these embedded AI features have their own data processing implications. Include them.


Section 2: Quality and review standards

What this section contains

The standards that govern AI output quality and the human review that must occur before AI outputs are used in client-facing or consequential contexts.

Why this section matters legally

For professional services companies, professional liability extends to outputs the company produces, regardless of whether AI produced them.

The quality and review standards section documents that the company has a human oversight layer that would satisfy a “reasonable professional standard” test if challenged.

The format

QUALITY AND REVIEW STANDARDS
-----------------------------

All AI-assisted outputs are subject to human review before use in the following contexts:
  - Client-facing deliverables: reviewed by the responsible account lead
  - Financial calculations and projections: reviewed by the finance lead
  - Legal or contractual language: reviewed by [role] and, where required,
    outside counsel
  - External communications sent to clients: reviewed by the sender

Outputs in the following categories require additional review:
  - Outputs used in competitive bid situations: reviewed by a senior team member
  - Outputs involving sensitive client information: reviewed for accuracy and
    data handling compliance

AI is not authorised to take the following actions without explicit human approval:
  - Send communications to clients or external parties
  - Process payments or approve financial transactions
  - Make binding commercial commitments
  - [Add actions specific to the company's operations]

Quality standard: AI-assisted outputs must meet the same quality standard as
manually produced outputs before use. The human reviewer is accountable for the
quality of the final output regardless of AI involvement.

Section 3: Data and confidentiality governance

Why this section requires the most care

The question “does client data enter AI tools?” and the answer to it determine the company’s exposure under NDAs, client contracts with AI clauses, and data protection regulations.

Vague answers create compliance gaps. Specific answers that are accurate create the documentation trail that protects the company.

The format

DATA AND CONFIDENTIALITY GOVERNANCE
-------------------------------------

WHAT DATA ENTERS AI TOOLS:
AI tools in the approved registry may receive:
  - Non-confidential operational data (scheduling, internal communications,
    public information)
  - Anonymised or aggregated client data for workflow processing
  - Specific client data only when: [the client has been informed; the tool has
    a signed DPA; the task requires it]

WHAT DATA DOES NOT ENTER AI TOOLS:
The following categories require explicit approval from [role] before entering
any AI tool:
  - Personally identifiable client information beyond what is minimally necessary
  - Confidential financial information
  - Data covered by confidentiality agreements that restrict third-party processing
  - Data regulated under [applicable regulation — HIPAA, GDPR, CCPA, as relevant]

DATA PROCESSING AGREEMENTS:
Tools with active DPAs:
  - [Tool]: [DPA summary — e.g., no training on customer data; EU data
    residency option available]
  - [Tool]: [DPA summary]

For tools without a DPA: only non-confidential data; not approved for
client-sensitive work.

CLIENT CONTRACT COMPLIANCE:
Where client contracts include AI-specific clauses, those clauses take
precedence over this policy. The account lead is responsible for identifying
relevant client contract AI clauses before AI tools are used on that client's
work.

The most common data governance gap

Client contracts increasingly include one of three AI-specific clauses:

Clause type            | What it requires
-----------------------|------------------------------------------------------------------
Prohibition            | AI tools may not be used on this client’s work without consent
Disclosure requirement | AI use must be disclosed proactively
Consent requirement    | Specific AI tool use requires client sign-off

Account leads who are unaware a client contract has one of these clauses can create an inadvertent breach. The policy must name the person responsible for checking, and the check must happen before any AI work begins on a new client engagement.


Section 4: Disclosure framework

The disclosure philosophy

The disclosure framework is not a risk mitigation tool. It is a trust-building tool.

A company that discloses AI use proactively, in plain language, framed as a quality commitment, builds more trust than one that buries disclosure in contract appendices and hopes clients do not ask.

The format

AI DISCLOSURE FRAMEWORK
------------------------

PROACTIVE DISCLOSURE:
[Company] discloses AI use to clients as part of standard engagement onboarding.
The disclosure covers:
  - What AI tools are used in our work
  - What types of tasks AI assists with
  - What quality and review standards apply to AI-assisted outputs
  - How client data is handled by AI tools

Delivery: at engagement kickoff, verbally and in the onboarding documentation
provided to each new client.

REACTIVE DISCLOSURE:
If a client asks whether AI was used in producing a specific output, the
accurate answer is provided directly.

Standard response: "Yes, we use AI to assist with [specific tasks]. Every
output you receive from us has been reviewed and approved by a team member
before delivery."

STANDARD DISCLOSURE LANGUAGE:
For proposals, engagement letters, or client conversations:

"[Company] uses AI tools to assist with [specific tasks — e.g., research,
first-draft production, data analysis]. Every deliverable you receive has
been reviewed and approved by a qualified team member before delivery. Our
use of AI is designed to improve the quality, speed, and specificity of our
work, not to replace the professional judgment of the team working on your
account."

WHAT NOT TO SAY:
  - "We don't really use AI that much" — creates a trust risk if contradicted
  - "Everything is done by our team" — inaccurate if AI assists
  - "AI just helps with the admin stuff" — misleading if AI assists with
    client-facing work

Why proactive disclosure works better than defensive disclosure

Three reasons:

  • It controls the narrative. A client who hears about AI use from the company before asking has a different reaction than one who asks and receives a reactive answer.
  • It positions AI as a quality feature, not a cost-cutting measure. The framing “designed to improve the quality, speed, and specificity of our work” is a value proposition, not a disclaimer.
  • It prevents the trust damage of discovery. The client who discovers AI use in a way they were not prepared for, through an output that feels uncharacteristically generic, loses trust disproportionately to the actual exposure.

Section 5: Ownership and accountability

The format

OWNERSHIP AND ACCOUNTABILITY
------------------------------

POLICY OWNER: [Name / role]
Responsibilities:
  - Reviewing and updating the policy quarterly or when significant tool or
    practice changes occur
  - Adding new tools to the approved registry when approved
  - Communicating policy updates to the full team
  - Fielding team questions about policy interpretation

AI SYSTEM OWNER: [Name / role]
Responsibilities:
  - Maintaining the AI tools and context layer used in company operations
  - Monitoring AI output quality and flagging quality concerns to the policy owner
  - Onboarding new team members to the AI system and policy
  - Maintaining the data processing agreement register

TEAM MEMBER RESPONSIBILITIES:
All team members are responsible for:
  - Using only approved AI tools for company work
  - Following the quality and review standards for all AI-assisted outputs
  - Reporting AI outputs that do not meet the quality standard or that raise
    data handling concerns
  - Notifying [role] if a client contract contains AI-specific clauses before
    using AI on that client's work

POLICY COMPLIANCE:
Non-compliance with this policy, particularly regarding data governance and
client disclosure, is treated with the same seriousness as non-compliance with
the company's confidentiality and professional conduct standards.

REVIEW SCHEDULE:
Quarterly review. Next scheduled review: [date].
Significant mid-quarter changes communicated to the team within two weeks.

Keeping the policy current: the 2026 maintenance challenge

Why quarterly review is the minimum

The AI tool landscape, the regulatory environment, and client contract expectations are all changing at a pace that makes annual reviews inadequate.

A policy accurate in January 2026 may be materially out of date by June because:

  • A tool’s data processing terms changed (this has happened with major AI providers)
  • A new tool was adopted without being added to the registry
  • A new client contract includes AI clauses that affect the company’s practices
  • Sector-specific AI regulations continue to emerge in healthcare, financial services, and legal

The quarterly review checklist

QUARTERLY AI POLICY REVIEW
----------------------------

[ ] Tool registry current?
    Are all AI tools the team actually uses on the approved list?
    Have any been dropped? Have any been added without policy update?

[ ] DPAs current?
    Have any listed tools updated their data processing terms?
    Have new DPAs been signed?

[ ] Client contract changes?
    Have any new client contracts included AI clauses that affect practice?

[ ] Practice changes?
    Has AI use changed in ways not reflected in the policy?
    New use cases, new teams using AI, new automation deployed?

[ ] Team awareness?
    Do all team members know the current policy?
    Have new team members been onboarded to it?

Run this checklist quarterly. Each “no” produces a policy update, not a flag for next year.


Common questions on building a company AI policy

“Does an AI policy need to be reviewed by a lawyer?”

The data governance section benefits from legal review, specifically the DPA register, the confidentiality clauses, and any sector-specific regulatory requirements (HIPAA, GDPR, CCPA).

The rest of the policy (tool registry, quality standards, disclosure framework, accountability) is operational governance that does not require legal review for most $5M–$25M companies. Write it, use it, and have counsel review the data section.

“What if our AI use is minimal: do we still need a policy?”

If any team member uses any AI tool on any client work, a policy is appropriate.

“Minimal” use today can become regular use quickly, and a policy built before the practice is significant is easier to maintain than one built retroactively.

The policy also serves as the governance framework for decisions about new tool adoption. Without it, each new tool decision is made ad hoc.

“How do we communicate the AI policy to the team without creating anxiety?”

Frame it as operational governance, not as a warning.

“Here is how we use AI, what standards apply, and who is responsible” is a policy introduction. “Here are all the things you cannot do with AI” creates the anxiety you are trying to avoid.

The announcement of the policy should be paired with the disclosure framework language, so the team understands that the policy enables confident AI use rather than restricting it.

“What happens when an employee violates the AI policy?”

The accountability section names the consequence: non-compliance with data governance and client disclosure is treated the same as non-compliance with confidentiality standards.

In practice, most violations are not intentional; they are gaps in awareness.

A team member who used an unapproved tool because they did not know it was unapproved needs a policy update, not a disciplinary response.

A team member who knowingly enters confidential client data into an unapproved tool after explicit guidance needs the proportional response defined in the standard employment conduct framework.

“Should the AI policy be made public or is it internal only?”

The policy itself is internal. The disclosure language in Section 4 is the external-facing version, designed for client communications.

Exception: some clients will ask to review the company’s AI governance framework as part of their own procurement process. In that case, sharing the policy (with DPA details appropriately redacted) demonstrates governance maturity.

“What is the difference between an AI policy and the AI usage guidelines described in this series?”

The AI usage guidelines (workflow specifications, context pack, voice guide, decision rules) are operational documents that tell the AI and the team how to produce specific outputs. They govern quality.

The AI policy governs accountability, disclosure, and data handling. It tells the company, the clients, and the regulators how AI is used, not how it should be used to produce good outputs.

Both are needed. They are different documents for different purposes.


Want the AI policy built alongside the AI system, so the governance reflects what is actually running?

An AI policy for a $5M–$25M company in 2026 is a two-to-three-page working document, not a forty-page governance manual.

Five sections (approved tools, quality standards, data governance, disclosure framework, and accountability) answer the questions clients, employees, and boards are starting to ask.

The company without an AI policy in 2026 is not just missing a document. It is operating without answers to questions that will be asked.

Path one: build the policy this week. Use the five-section format and template blocks above. Start with Section 3 (data governance) and Section 4 (disclosure framework), the two sections clients are most likely to ask about. The remaining three sections can be completed in a single two-hour session.

Path two: build the policy alongside the system. Phos AI Labs Phase 1 and Phase 3 engagements produce the practice map, tool registry, and data handling documentation that the policy requires. The governance reflects what is actually running, not what the company hoped would be running when the policy was written. We have run 400+ AI engagements. Clients include Zapier, Coca-Cola, Medtronic, Dataiku, and American Express. Thirty minutes, no deck. Start here.

The fastest way to know whether we're the right fit is a conversation.